Netgate Discussion Forum

    No option to select CA

      jgraham5481

      Hello, I am using pfSense 2.3.1_p5, whatever the latest release is. When I go to create a mobile IPSEC tunnel for the purposes of connecting a Windows client, I am not given the option to select a corresponding CA for the cert for Authentication. I know everything else is correct, per the logs, it errors out on CA is unknown, it's not just auto populating because I can see in the config, the CA option is blank, see below. Any ideas?

      <certref>57696cb3c0e23</certref>
      <caref></caref>

        cmb

        The CA config is only for certain specific types, sounds like you're using a mode where it isn't relevant to specify the CA cert. What's the specific error you're getting?

          jgraham5481

          The error I get on the Windows client is a 13801: IKE authentication credentials are unacceptable. I did the registry key for disabling EKU checking.

          The error I get in pfSense IPSEC log is Jun 22 08:22:14 charon 11[IKE] <16> received 25 cert requests for an unknown ca

          When I go to the config page VPN -> IPsec -> Mobile Clients -> Edit Phase 1
          under Phase 1 Proposal (Authentication), my authentication method is EAP-MSChapv2, which should require you specify a cert and its CA, hence why one would have to import the CA cert to the mobile client.

          (When EAP_MSChapv2 is selected) After the section where you select the cert, there is the 1-2 pixel space then 2-3 pixels of what would be the start of a new section. Selecting other authentication methods either completes and adds the option to select a CA or takes away that 2-3 pixel space of what would be another section.

          Help me fix this, I've got a Smokey and the Bandit style bet going here, leveraging pfSense.

            cmb

            It knows the CA by which cert you pick, no need to configure it. You probably missed part of the client instructions, either didn't import the CA, or didn't import it to the right place.

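The last reply says the CA is implied by the certificate selected in phase 1. As an added example (not from the thread and not pfSense's own code), this Python script follows that lookup through a constructed config.xml fragment to report which CA a phase 1 entry with an empty caref ends up with, which is the CA certificate the client has to trust. The ca/cert element layout, the refid ca-placeholder-1 and the descriptions are assumptions; only the certref value comes from the first post.

```python
import xml.etree.ElementTree as ET

# Constructed config.xml fragment. Element layout is assumed; every value
# except the certref quoted in the thread is a made-up placeholder.
SAMPLE_CONFIG = """
<pfsense>
  <ca>
    <refid>ca-placeholder-1</refid>
    <descr>Example VPN CA</descr>
  </ca>
  <cert>
    <refid>57696cb3c0e23</refid>
    <descr>Example IKEv2 server cert</descr>
    <caref>ca-placeholder-1</caref>
  </cert>
  <ipsec>
    <phase1>
      <descr>Mobile clients</descr>
      <certref>57696cb3c0e23</certref>
      <caref></caref>
    </phase1>
  </ipsec>
</pfsense>
"""

def resolve_phase1_ca(config_xml):
    """Return one dict per phase 1 entry showing the effective issuing CA."""
    root = ET.fromstring(config_xml)
    cas = {ca.findtext("refid"): ca for ca in root.findall("ca")}
    certs = {c.findtext("refid"): c for c in root.findall("cert")}
    results = []
    for p1 in root.iter("phase1"):
        certref = (p1.findtext("certref") or "").strip()
        explicit = (p1.findtext("caref") or "").strip()
        cert = certs.get(certref)
        # With an empty <caref>, fall back to the CA recorded on the cert itself.
        via_cert = (cert.findtext("caref") or "").strip() if cert is not None else ""
        caref = explicit or via_cert
        ca = cas.get(caref)
        results.append({
            "phase1": p1.findtext("descr"),
            "certref": certref,
            "caref": caref or None,
            "source": "phase1" if explicit else ("cert" if via_cert else None),
            "ca_descr": ca.findtext("descr") if ca is not None else None,
        })
    return results

if __name__ == "__main__": print(resolve_phase1_ca(SAMPLE_CONFIG))
```

A row whose ca_descr is None means the referenced certificate or its CA entry is missing from the configuration being inspected.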
            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.